platform_system_sepolicy/public/dumpstate.te
Calin Juravle 2b291121b9 SElinux: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
2017-03-07 10:59:26 -08:00

203 lines
6.5 KiB
Text

# dumpstate
type dumpstate, domain, domain_deprecated, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;
net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
allow dumpstate self:capability {
# Send signals to processes
kill
# Run iptables
net_raw
net_admin
};
# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
allow dumpstate toolbox_exec:file rx_file_perms;
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;
# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;
# Get process attributes
allow dumpstate domain:process getattr;
# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate {
audioserver
cameraserver
drmserver
inputflinger
mediacodec
mediadrmserver
mediaextractor
mediaserver
sdcardd
surfaceflinger
}:process signal;
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
# TODO: added to match above sysfs rule. Remove me?
allow dumpstate sysfs_usb:file w_file_perms;
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
# df for /storage/emulated needs search
allow dumpstate { storage_file block_device }:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
# Vibrate the device after we are done collecting the bugreport
# For binderized mode:
hal_client_domain(dumpstate, hal_dumpstate)
binder_call(dumpstate, hal_vibrator)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;
# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;
# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
# Read /proc/net
allow dumpstate proc_net:file r_file_perms;
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;
# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
# Access /data/misc/logd
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
')
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate devpts:chr_file rw_file_perms;
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;
# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)
###
### neverallow rules
###
# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
# only system_server, dumpstate and shell can find the dumpstate service
neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
neverallow dumpstate sysfs:file no_w_file_perms;